I hereby send you the status of your account on 08/Jul/2014.
We recommend you download and keep track of your assets.

The statement is attached to this email in Microsoft Word format.

For any question you can contact Super Business Line.

Best regards,
BANCO SANTANDER.

Attached is a file ESTADOCUENTA_2457.doc which contains a Word Macro virus. However, because most people's settings would stop a Macro virus running then it actually contains detailed instructions on how to remove your security settings.

The content can not be shown.To view the content of this document should enable macros Microsoft Word, then close and reopen the document.

Try the following:Enable Macros and then reopen the document.In this document you will find a guide provided by www.santander.com to enable macros in your Microsoft Word.

Grupo Financiero Santander Mexico - 2014

There then follows several pages with screenshots on how to disable the security in Word and Excel.. doing which of course is a bad idea. Reloading the document will then execute the Macro virus. I have defanged the document and converted it to a PDF file here. A copy of the VBA code is here (thanks to @Techhelplistcom).

The VirusTotal analysis shows just 1/54 virus scanners detect it. The Malwr analysis gives some clues as to what is going on in the string dump, especially the reference to baulretro.cl/tienda/cache/wp/ss.exe (186.64.120.59 / Zam Ltda, Chile) which appears to be a malicious binary (at the moment the file is 404ing, but it was working recently).

The properties of the Word document don't give much of a clue:

Authors are "OFEyDV", last saved by "clein" which matches to a few other recent malicious Spanish-language documents [1][2][3][4]. The creation date indicates that perhaps this started off life as a genuine document and has been adapted for evil purposes.

It's a lot of hard work to get your computer infected, but it does also look quite convincing. Word Macros are very rarely used by anything and you should definitely not fiddle with them if you don't need to.